https://community.splunk.com/t5/Getting-Data-In/What-is-best-process-of-sending-logs-from-Splunk-to-syslogng/m-p/325918#M60601 <P>Hi,<BR /> We are planning to forward Windows events logs from Splunk to RSA.<BR /> <A href="https://answers.splunk.com/answers/581066/how-splunk-can-send-data-to-third-party-system-spe.html">https://answers.splunk.com/answers/581066/how-splunk-can-send-data-to-third-party-system-spe.html</A></P> <P>We already did the three approaches mentioned above and they were not working. We are trying to send data from Splunk to syslogng server and from there -- RSA collects data?</P> <P>Is there any process of sending logs from Splunk to syslogng server?</P> <P>Any help, please?</P> Wed, 25 Oct 2017 13:15:30 GMT splunker969 2017-10-25T13:15:30Z https://community.splunk.com/t5/Getting-Data-In/What-is-best-process-of-sending-logs-from-Splunk-to-syslogng/m-p/325918#M60601 <P>Hi,<BR /> We are planning to forward Windows events logs from Splunk to RSA.<BR /> <A href="https://answers.splunk.com/answers/581066/how-splunk-can-send-data-to-third-party-system-spe.html">https://answers.splunk.com/answers/581066/how-splunk-can-send-data-to-third-party-system-spe.html</A></P> <P>We already did the three approaches mentioned above and they were not working. We are trying to send data from Splunk to syslogng server and from there -- RSA collects data?</P> <P>Is there any process of sending logs from Splunk to syslogng server?</P> <P>Any help, please?</P> Wed, 25 Oct 2017 13:15:30 GMT https://community.splunk.com/t5/Getting-Data-In/What-is-best-process-of-sending-logs-from-Splunk-to-syslogng/m-p/325918#M60601 splunker969 2017-10-25T13:15:30Z https://community.splunk.com/t5/Getting-Data-In/What-is-best-process-of-sending-logs-from-Splunk-to-syslogng/m-p/325919#M60602 <P>You can take a look at <A href="https://splunkbase.splunk.com/app/1847/">this app</A> and its documentation to see if that would help you meet your needs. It's a search-based approach to forward data via SYSLOG specifically built for 3rd-party SIEM integrations.</P> <P>That aside: If you followed the documentation <A href="https://docs.splunk.com/Documentation/SplunkCloud/6.6.3/Forwarding/Forwarddatatothird-partysystemsd#Syslog_data">here</A> and it didn't work for you, can you explain what issue you were experiencing? Maybe we can collectively get you on the right track.</P> Wed, 25 Oct 2017 18:23:58 GMT https://community.splunk.com/t5/Getting-Data-In/What-is-best-process-of-sending-logs-from-Splunk-to-syslogng/m-p/325919#M60602 s2_splunk 2017-10-25T18:23:58Z https://community.splunk.com/t5/Getting-Data-In/What-is-best-process-of-sending-logs-from-Splunk-to-syslogng/m-p/325920#M60603 <P>Hi SSievert ,</P> <P>We are now seeing traffic leave our Indexers when monitoring the interface via tcpdump . However RSA is not able to parse the data, even though the field mappings appear correct and in line with CEF standards template.</P> <P>We suspect this may be because there is no priority value at the beginning of these events (which RSA needs apparently</P> <P>From what I can see, the Splunk app for CEF configures the output.conf to use tcpout as the processor (instead of syslog). Could you confirm if this is correct and if so, would it be possible to change this to syslog?</P> <P>Would really appreciate any help and support you can provide in this matter@ssievert </P> <P>Thanks.</P> Mon, 30 Oct 2017 18:00:09 GMT https://community.splunk.com/t5/Getting-Data-In/What-is-best-process-of-sending-logs-from-Splunk-to-syslogng/m-p/325920#M60603 splunker969 2017-10-30T18:00:09Z https://community.splunk.com/t5/Getting-Data-In/What-is-best-process-of-sending-logs-from-Splunk-to-syslogng/m-p/325921#M60604 <P>Can you share the outputs.conf? <BR /> Do you have a section that looks like this:<BR /> [syslog:myRSAservers]<BR /> type=tcp<BR /> priority=nn<BR /> etc.<BR /> as documented <A href="http://docs.splunk.com/Documentation/Splunk/latest/Admin/outputsconf#Syslog_output----">here</A>?</P> Mon, 30 Oct 2017 19:08:30 GMT https://community.splunk.com/t5/Getting-Data-In/What-is-best-process-of-sending-logs-from-Splunk-to-syslogng/m-p/325921#M60604 s2_splunk 2017-10-30T19:08:30Z https://community.splunk.com/t5/Getting-Data-In/What-is-best-process-of-sending-logs-from-Splunk-to-syslogng/m-p/325922#M60605 <P>I believe app only build to send data tcp routing @ssievert .Also please find below outputs.conf<BR /> [tcpout:RSA_Netwitness]<BR /> Server =ip:port<BR /> blockONClonning= 5<BR /> sendCookedData=false</P> Mon, 30 Oct 2017 20:02:34 GMT https://community.splunk.com/t5/Getting-Data-In/What-is-best-process-of-sending-logs-from-Splunk-to-syslogng/m-p/325922#M60605 splunker969 2017-10-30T20:02:34Z